The branch, v4-0-test has been updated
via 816bb64a56a75d1eb5e879b4abf211af27243686 (commit)
via 6673a6e62399c4956a44a06685aa91ce8145b92a (commit)
via 514d88580bee3bb17f1032262f5518e3ab2a349a (commit)
via c2df7ffa6d67dd9381d10397c679746547cd5e17 (commit)
via 15d0951b74b46763024560f9cd012338473c5bc3 (commit)
via 736ce50afd9da9b5fbc3db777fd5341dfa4b721a (commit)
via 26c2a34dec26890230dfa86827804d8160061ce5 (commit)
from 9678085f75b6cb0ed068e22f3d9f94247b200ce2 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit 816bb64a56a75d1eb5e879b4abf211af27243686
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Thu Jul 31 23:17:20 2008 +1000
Update to a working trustAuthIncoming and trustAuthOutgoing parser.
This is based on the docs, as well as testing against a domain trust
in windows.
Clearly it needs to be more general - perhaps a non IDL parser?
Andrew Bartlett
commit 6673a6e62399c4956a44a06685aa91ce8145b92a
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Thu Jul 31 21:23:48 2008 +1000
Print trustAuthOutgoing and trustAuthIncoming in RPC-DSSYNC
commit 514d88580bee3bb17f1032262f5518e3ab2a349a
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Thu Jul 31 10:51:59 2008 +1000
Use the cldap reply to avoid segfaulting in RPC-DSSYNC
Also don't fail the test if the server does not implement the NT4
changelog.
Andrew Bartlett
commit c2df7ffa6d67dd9381d10397c679746547cd5e17
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Thu Jul 31 09:07:57 2008 +1000
Don't fail if the domain has a trust already.
Andrew Bartlett
commit 15d0951b74b46763024560f9cd012338473c5bc3
Merge: 736ce50afd9da9b5fbc3db777fd5341dfa4b721a
9678085f75b6cb0ed068e22f3d9f94247b200ce2
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Thu Jul 31 07:48:16 2008 +1000
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into
4-0-local
commit 736ce50afd9da9b5fbc3db777fd5341dfa4b721a
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Thu Jul 31 07:47:01 2008 +1000
Start implementind domain trusts in our KDC.
Andrew Bartlett
commit 26c2a34dec26890230dfa86827804d8160061ce5
Author: Andrew Bartlett <[EMAIL PROTECTED]>
Date: Thu Jul 31 07:45:30 2008 +1000
Update trustAuthInOutBlob in line with MS-ADTS 7.1.6.8.1
-----------------------------------------------------------------------
Summary of changes:
source/kdc/hdb-ldb.c | 40 ++++++++++++++---
source/librpc/idl/drsblobs.idl | 97 +++++++++++++++++++++++++++-------------
source/torture/rpc/dssync.c | 42 ++++++++++++++---
source/torture/rpc/lsa.c | 7 +++-
4 files changed, 139 insertions(+), 47 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/kdc/hdb-ldb.c b/source/kdc/hdb-ldb.c
index 8f8ce30..a997eb0 100644
--- a/source/kdc/hdb-ldb.c
+++ b/source/kdc/hdb-ldb.c
@@ -853,7 +853,8 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context
context, HDB *db,
{
krb5_error_code ret;
struct ldb_message **msg = NULL;
- struct ldb_message **realm_ref_msg = NULL;
+ struct ldb_message **realm_ref_msg_1 = NULL;
+ struct ldb_message **realm_ref_msg_2 = NULL;
struct ldb_dn *realm_dn;
krb5_principal alloc_principal = NULL;
@@ -864,14 +865,18 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context
context, HDB *db,
}
/* krbtgt case. Either us or a trusted realm */
+
if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
- mem_ctx, principal->name.name_string.val[1],
&realm_ref_msg) == 0)) {
+ mem_ctx, principal->realm, &realm_ref_msg_1) == 0)
+ && (LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
+ mem_ctx, principal->name.name_string.val[1],
&realm_ref_msg_2) == 0)
+ && (ldb_dn_cmp(realm_ref_msg_1[0]->dn, realm_ref_msg_1[0]->dn) ==
0)) {
/* us */
/* Cludge, cludge cludge. If the realm part of krbtgt/realm,
* is in our db, then direct the caller at our primary
- * krgtgt */
+ * krbtgt */
- const char *dnsdomain =
ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL);
+ const char *dnsdomain =
ldb_msg_find_attr_as_string(realm_ref_msg_1[0], "dnsRoot", NULL);
char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
if (!realm_fixed) {
krb5_set_error_string(context, "strupper_talloc: out of
memory");
@@ -891,8 +896,26 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context
context, HDB *db,
return ENOMEM;
}
principal = alloc_principal;
- realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db,
mem_ctx, realm_ref_msg[0], "nCName", NULL);
+ realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db,
mem_ctx, realm_ref_msg_1[0], "nCName", NULL);
} else {
+ enum direction {
+ INBOUND,
+ OUTBOUND
+ }
+
+ struct loadparm_context *lp_ctx =
talloc_get_type(ldb_get_opaque(ldb, "loadparm"), struct loadparm_context *);
+ /* Either an inbound or outbound trust */
+
+ if (strcasecmp(lp_realm(lp_ctx), principal->realm) == 0) {
+ /* look for inbound trust */
+ }
+
+ if (strcasecmp(lp_realm(lp_ctx),
principal->name.name_string.val[1]) == 0) {
+ /* look for outbound trust */
+ }
+
+ /* Trusted domains are under CN=system */
+
/* we should lookup trusted domains */
return HDB_ERR_NOENTRY;
}
@@ -1022,10 +1045,13 @@ static krb5_error_code LDB_fetch(krb5_context context,
HDB *db,
if (ret != HDB_ERR_NOENTRY) goto done;
}
if (flags & HDB_F_GET_SERVER) {
- ret = LDB_fetch_server(context, db, mem_ctx, principal, flags,
entry_ex);
- if (ret != HDB_ERR_NOENTRY) goto done;
+ /* krbtgt fits into this situation for trusted realms, and for
resolving different versions of our own realm name */
ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags,
entry_ex);
if (ret != HDB_ERR_NOENTRY) goto done;
+
+ /* We return 'no entry' if it does not start with krbtgt/, so
move to the common case quickly */
+ ret = LDB_fetch_server(context, db, mem_ctx, principal, flags,
entry_ex);
+ if (ret != HDB_ERR_NOENTRY) goto done;
}
if (flags & HDB_F_GET_KRBTGT) {
ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags,
entry_ex);
diff --git a/source/librpc/idl/drsblobs.idl b/source/librpc/idl/drsblobs.idl
index adfc010..b0cddfc 100644
--- a/source/librpc/idl/drsblobs.idl
+++ b/source/librpc/idl/drsblobs.idl
@@ -1,6 +1,6 @@
#include "idl_types.h"
-import "drsuapi.idl", "misc.idl";
+import "drsuapi.idl", "misc.idl", "samr.idl";
[
uuid("12345778-1234-abcd-0001-00000001"),
@@ -359,9 +359,55 @@ interface drsblobs {
typedef struct {
NTTIME time1;
uint32 unknown1;
+ DATA_BLOB value;
+ [flag(NDR_ALIGN4)] DATA_BLOB _pad;
+ } trustAuthInOutSecret1;
+
+ typedef struct {
+ [relative] trustAuthInOutSecret1 *value1;
+ [relative] trustAuthInOutSecret1 *value2;
+ } trustAuthInOutCtr1;
+
+ typedef [v1_enum] enum {
+ TRUST_AUTH_TYPE_NONE = 0,
+ TRUST_AUTH_TYPE_NT4OWF = 1,
+ TRUST_AUTH_TYPE_CLEAR = 2,
+ TRUST_AUTH_TYPE_VERSION = 3
+ } trustAuthType;
+
+ typedef struct {
+ [value(0)] uint32 size;
+ } AuthInfoNone;
+
+ typedef struct {
+ [value(16)] uint32 size;
+ samr_Password password;
+ } AuthInfoNT4Owf;
+
+ typedef struct {
+ uint32 size;
+ uint8 password[size];
+ } AuthInfoClear;
+
+ typedef struct {
+ [value(4)] uint32 size;
+ uint32 version;
+ } AuthInfoVersion;
+
+ typedef [nodiscriminant] union {
+ [case(TRUST_AUTH_TYPE_NONE)] AuthInfoNone none;
+ [case(TRUST_AUTH_TYPE_NT4OWF)] AuthInfoNT4Owf nt4owf;
+ [case(TRUST_AUTH_TYPE_CLEAR)] AuthInfoClear clear;
+ [case(TRUST_AUTH_TYPE_VERSION)] AuthInfoVersion version;
+ } AuthInfo;
+
+ typedef struct {
+ NTTIME LastUpdateTime;
+ trustAuthType AuthType;
+
/*
* the secret value is encoded as UTF16 if it's a string
- * but krb5 trusts have random bytes here, so converting to
UTF16
+ * but depending the AuthType, it might also be krb5 trusts
have random bytes here, so converting to UTF16
* mayfail...
*
* TODO: We should try handle the case of a random buffer in
all places
@@ -372,49 +418,36 @@ interface drsblobs {
* uint32 value_len;
* [charset(UTF16)] uint8 value[value_len];
*/
- DATA_BLOB value;
+ [switch_is(AuthType)] AuthInfo AuthInfo;
[flag(NDR_ALIGN4)] DATA_BLOB _pad;
- } trustAuthInOutSecret1;
+ } AuthenticationInformation;
typedef struct {
- [relative] trustAuthInOutSecret1 *value1;
- [relative] trustAuthInOutSecret1 *value2;
- } trustAuthInOutCtr1;
+ AuthenticationInformation info[1];
+ } AuthenticationInformation1;
typedef struct {
- NTTIME time1;
- uint32 unknown1;
- DATA_BLOB value;
- NTTIME time2;
- uint32 unknown2;
- uint32 unknown3;
- uint32 unknown4;
- [flag(NDR_ALIGN4)] DATA_BLOB _pad;
- } trustAuthInOutSecret2V1;
+ AuthenticationInformation info[2];
+ } AuthenticationInformation2;
typedef struct {
- NTTIME time1;
- uint32 unknown1;
- DATA_BLOB value;
- NTTIME time2;
- uint32 unknown2;
- uint32 unknown3;
- [flag(NDR_ALIGN4)] DATA_BLOB _pad;
- } trustAuthInOutSecret2V2;
+ [relative] AuthenticationInformation1 *current;
+ [relative] AuthenticationInformation1 *previous;
+ } AuthenticationInformationCtr1;
typedef struct {
- [relative] trustAuthInOutSecret2V1 *value1;
- [relative] trustAuthInOutSecret2V2 *value2;
- } trustAuthInOutCtr2;
+ [relative] AuthenticationInformation2 *current;
+ [relative] AuthenticationInformation2 *previous;
+ } AuthenticationInformationCtr2;
typedef [nodiscriminant] union {
- [case(1)] trustAuthInOutCtr1 ctr1;
- [case(2)] trustAuthInOutCtr2 ctr2;
- } trustAuthInOutCtr;
+ [case(1)] AuthenticationInformationCtr1 info1;
+ [case(2)] AuthenticationInformationCtr2 info2;
+ } AuthenticationInformationCtr;
typedef [public] struct {
- uint32 version;
- [switch_is(version)] trustAuthInOutCtr ctr;
+ uint32 count;
+ [switch_is(count)] AuthenticationInformationCtr auth;
} trustAuthInOutBlob;
void decode_trustAuthInOut(
diff --git a/source/torture/rpc/dssync.c b/source/torture/rpc/dssync.c
index 2930a9b..d340543 100644
--- a/source/torture/rpc/dssync.c
+++ b/source/torture/rpc/dssync.c
@@ -34,6 +34,7 @@
#include "libcli/auth/libcli_auth.h"
#include "auth/gensec/gensec.h"
#include "param/param.h"
+#include "dsdb/samdb/samdb.h"
struct DsSyncBindInfo {
struct dcerpc_pipe *pipe;
@@ -314,6 +315,14 @@ static bool test_GetInfo(struct torture_context *tctx,
struct DsSyncTest *ctx)
printf("cldap_netlogon() returned Server Site-Name:
%s.\n",search.out.netlogon.nt5_ex.server_site);
}
+ if (!ctx->domain_dn) {
+ struct ldb_context *ldb = ldb_init(ctx, tctx->ev);
+ struct ldb_dn *dn = samdb_dns_domain_to_dn(ldb, ctx,
search.out.netlogon.nt5_ex.dns_domain);
+ ctx->domain_dn = ldb_dn_alloc_linearized(ctx, dn);
+ talloc_free(dn);
+ talloc_free(ldb);
+ }
+
return ret;
}
@@ -465,6 +474,9 @@ static void test_analyse_objects(struct torture_context
*tctx,
DATA_BLOB *enc_data = NULL;
DATA_BLOB plain_data;
struct drsuapi_DsReplicaAttribute *attr;
+ ndr_pull_flags_fn_t pull_fn = NULL;
+ ndr_print_fn_t print_fn = NULL;
+ void *ptr = NULL;
attr = &cur->object.attribute_ctr.attributes[i];
switch (attr->attid) {
@@ -486,6 +498,9 @@ static void test_analyse_objects(struct torture_context
*tctx,
break;
case DRSUAPI_ATTRIBUTE_supplementalCredentials:
name = "supplementalCredentials";
+ pull_fn =
(ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob;
+ print_fn =
(ndr_print_fn_t)ndr_print_supplementalCredentialsBlob;
+ ptr = talloc(ctx, struct
supplementalCredentialsBlob);
break;
case DRSUAPI_ATTRIBUTE_priorValue:
name = "priorValue";
@@ -495,9 +510,15 @@ static void test_analyse_objects(struct torture_context
*tctx,
break;
case DRSUAPI_ATTRIBUTE_trustAuthOutgoing:
name = "trustAuthOutgoing";
+ pull_fn =
(ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob;
+ print_fn =
(ndr_print_fn_t)ndr_print_trustAuthInOutBlob;
+ ptr = talloc(ctx, struct trustAuthInOutBlob);
break;
case DRSUAPI_ATTRIBUTE_trustAuthIncoming:
name = "trustAuthIncoming";
+ pull_fn =
(ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob;
+ print_fn =
(ndr_print_fn_t)ndr_print_trustAuthInOutBlob;
+ ptr = talloc(ctx, struct trustAuthInOutBlob);
break;
case DRSUAPI_ATTRIBUTE_initialAuthOutgoing:
name = "initialAuthOutgoing";
@@ -528,7 +549,6 @@ static void test_analyse_objects(struct torture_context
*tctx,
name, (long)enc_data->length,
(long)plain_data.length));
if (plain_data.length) {
enum ndr_err_code ndr_err;
- struct supplementalCredentialsBlob scb;
dump_data(0, plain_data.data,
plain_data.length);
if (save_values_dir) {
char *fname;
@@ -545,15 +565,20 @@ static void test_analyse_objects(struct torture_context
*tctx,
talloc_free(fname);
}
- ndr_err = ndr_pull_struct_blob_all(&plain_data,
tctx,
- lp_iconv_convenience(tctx->lp_ctx),
&scb,
-
(ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
- if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-
NDR_PRINT_DEBUG(supplementalCredentialsBlob, &scb);
+ if (pull_fn) {
+ ndr_err =
ndr_pull_struct_blob_all(&plain_data, ptr,
+
lp_iconv_convenience(tctx->lp_ctx), ptr,
+
pull_fn);
+ if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ ndr_print_debug(print_fn, name,
ptr);
+ } else {
+ DEBUG(0, ("Failed to decode
%s\n", name));
+ }
}
} else {
dump_data(0, enc_data->data, enc_data->length);
}
+ talloc_free(ptr);
}
}
}
@@ -800,7 +825,10 @@ static bool test_FetchNT4Data(struct torture_context *tctx,
r.in.req.req1.data = cookie.data;
status =
dcerpc_drsuapi_DsGetNT4ChangeLog(ctx->new_dc.drsuapi.pipe, ctx, &r);
- if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+ printf("DsGetNT4ChangeLog not supported by target
server\n");
+ break;
+ } else if (!NT_STATUS_IS_OK(status)) {
const char *errstr = nt_errstr(status);
if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT))
{
errstr = dcerpc_errstr(ctx,
ctx->new_dc.drsuapi.pipe->last_fault_code);
diff --git a/source/torture/rpc/lsa.c b/source/torture/rpc/lsa.c
index e6102f0..4fb459e 100644
--- a/source/torture/rpc/lsa.c
+++ b/source/torture/rpc/lsa.c
@@ -1830,7 +1830,12 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
enum_status = dcerpc_lsa_EnumTrustDom(p, mem_ctx, &r);
- if (!(NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES) ||
NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES))) {
+ if (NT_STATUS_IS_OK(enum_status)) {
+ if (domains.count == 0) {
+ printf("EnumTrustDom failed - should have returned
'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
+ return false;
+ }
+ } else if (!(NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES) ||
NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES))) {
printf("EnumTrustDom of zero size failed - %s\n",
nt_errstr(enum_status));
return false;
}
--
Samba Shared Repository
